
fix(safeoutputs): neutralize Stage 3 upload message command injection paths#501

Merged
jamesadevine merged 2 commits into main from copilot/fix-vso-command-injection-yet-again
May 11, 2026

Conversation

Contributor

Copilot AI commented May 11, 2026

Summary

Stage 3 safe-output executors were allowing Azure DevOps logging-command injection by printing agent-controlled file_path content in upload result messages. This PR hardens both the output sink and the upload input validators to block ##vso[ / ##[ injection sequences across the affected tools.

  • Output neutralization in Stage 3 execution path

    • execute.rs now neutralizes ExecutionResult.message before printing to stdout in log_and_print_entry_result, closing the shared sink used by all safe-output tools.
  • Upload file_path validation hardening

    • Added explicit rejection of ##vso[ and ##[ in:
      • upload-workitem-attachment
      • upload-build-attachment
      • upload-pipeline-artifact
  • Work item upload guard message fix

    • Replaced the content-guard failure message that echoed attacker-controlled filename with a constant safe message to avoid “double-injection” on rejection paths.
  • Focused regression coverage

    • Added targeted tests for the new file_path rejection behavior and Stage 3 message neutralization behavior.
// Stage 3 stdout hardening
let safe_msg = neutralize_pipeline_commands(&result.message);
println!("[{}/{}] {} - {} - {}", i + 1, total, tool_name, symbol, safe_msg);

Test plan

  • Added/updated focused unit tests for:
    • file_path rejection of ##vso[ and ##[ in all three upload tools
    • Stage 3 output neutralization behavior for result messages

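To make the two layers of the fix concrete, here is an added example (not the ado-aw project's own code, and not its `neutralize_pipeline_commands`) of a scrubber for Azure DevOps logging-command prefixes on the shared stdout sink, beside an upload-path validator that rejects with a constant message so the rejection path cannot echo the hostile value back. The function names, the "# #" splitting strategy and ASCII-case-insensitive matching are this example's own assumptions.

```rust
// Added example, not the ado-aw project's code. Prefixes the Azure DevOps
// agent treats as logging commands; matched ASCII-case-insensitively as a
// conservative assumption.
const CMD_PREFIXES: [&str; 2] = ["##vso[", "##["];

/// Rewrite every `##vso[` / `##[` occurrence so the agent no longer sees a
/// command prefix, while keeping the rest of the message visible.
pub fn scrub_ado_commands(msg: &str) -> String {
    // ASCII lowercasing keeps byte offsets identical, so `lower[i..]` is valid
    // wherever `msg[i..]` is.
    let lower = msg.to_ascii_lowercase();
    let mut out = String::with_capacity(msg.len() + 8);
    let mut i = 0;
    while i < msg.len() {
        let hit = CMD_PREFIXES.iter().copied().find(|p| lower[i..].starts_with(*p));
        if let Some(p) = hit {
            out.push_str("# #"); // split the "##" marker (this example's choice)
            out.push_str(&msg[i + 2..i + p.len()]); // keep "vso[" / "[" as-is
            i += p.len();
        } else {
            // Copy one whole UTF-8 character; `i` always sits on a char boundary.
            let ch = msg[i..].chars().next().unwrap();
            out.push(ch);
            i += ch.len_utf8();
        }
    }
    out
}

/// Constant rejection text: never interpolate the rejected path, otherwise the
/// error message becomes a second injection sink ("double-injection").
pub const REJECT_MSG: &str = "file_path contains a pipeline logging-command sequence";

/// Upload-input check: reject outright rather than scrub.
pub fn validate_upload_path(path: &str) -> Result<&str, &'static str> {
    let lower = path.to_ascii_lowercase();
    if CMD_PREFIXES.iter().any(|p| lower.contains(*p)) {
        return Err(REJECT_MSG);
    }
    Ok(path)
}

/// Stage 3 style result line, built from the scrubbed message, never the raw one.
pub fn format_result_line(idx: usize, total: usize, tool: &str, ok: bool, msg: &str) -> String {
    let symbol = if ok { "✓" } else { "✗" };
    format!("[{}/{}] {} - {} - {}", idx + 1, total, tool, symbol, scrub_ado_commands(msg))
}

fn main() {
    // Constructed sample input: a file_path carrying a (non-real) command prefix.
    let hostile = "build.log\n##vso[example]injected";
    println!("{}", format_result_line(0, 1, "upload-build-attachment", false, hostile));
    match validate_upload_path(hostile) {
        Ok(p) => println!("accepted: {p}"),
        Err(e) => println!("rejected: {e}"),
    }
}
```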
…d stdout messages

Agent-Logs-Url: https://github.com/githubnext/ado-aw/sessions/e5c9bc47-654c-4611-9ab5-62a953014ad5

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix VSO command injection via file_path in upload tool messages" to "fix(safeoutputs): neutralize Stage 3 upload message command injection paths" May 11, 2026
Copilot AI requested a review from jamesadevine May 11, 2026 06:22
@jamesadevine jamesadevine marked this pull request as ready for review May 11, 2026 06:51
@jamesadevine jamesadevine merged commit 45cd552 into main May 11, 2026
@jamesadevine jamesadevine deleted the copilot/fix-vso-command-injection-yet-again branch May 11, 2026 06:51
Development

Successfully merging this pull request may close these issues.

🔴 Red Team Audit — High: VSO command injection via file_path in upload tool Stage 3 messages